A method is disclosed whereby separate but interrelated data is checkpointed and reconstructed within a router. In one embodiment, each connection is checkpointed with a unique connection identifier, and critical data is stored by a firewall application in a checkpoint server provided within a router. When an application module within the firewall crashes, the firewall and associated modules may recover and restore the data from the checkpoint server by re-assembling the data according the unique connection identifier, thus recovering the connections through the router without interruption.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising; executing an application on a network device, the application having a plurality of modules each associated with one or more layers of a hierarchy of communication protocols; storing, in a memory space associated with the application, a connection data structure, the connection data structure storing together data for the plurality of modules of the application for a connection maintained by the network device; forming a unique connection identifier for the connection; independently checkpointing portions of the connection data structure for different modules into a memory space associated with a checkpoint server, the portions of the connection data structure each being embedded with the unique connection identifier and stored separately in the memory space associated with the checkpoint server; and in response to a restart or failure of the application executing on the network device, restoring the connection data structure in the memory space associated with the application, by retrieving the separately stored portions of the connection data structure for at least some of the different modules from the memory space associated with a checkpoint server and combining them to reform the connection data structure in the memory space associated with the application.
2. The method of claim 1 , wherein the independently checkpointing comprises: determining for each module of the plurality of modules when the module requires a checkpoint of the module's portion of the connection data structure; and in response to the determining a particular module requires a checkpoint, checkpointing the particular module's portion of the connection data structure into the memory space associated with the checkpoint server.
3. The method of claim 1 , wherein the independently checkpointing comprises: determining there has been a state change of the connection; and in response to the state change, checkpointing at least one particular module's portion of the connection data structure into the memory space associated with the checkpoint server.
4. The method of claim 1 , wherein the independently checkpointing is performed individually by each module, such that each module checkpoints its own portion of the connection data structure, and the retrieving is performed individually by each module, such that each module retrieves its own portion of the connection data structure.
5. The method of claim 1 , wherein the application is a firewall application and the plurality of modules are modules within the firewall application.
6. The method of claim 1 , wherein the forming a unique connection identifier for the connection comprises: combining a source address and a destination address of a packet associated with the connection.
7. The method of claim 1 , wherein the plurality of modules include at least a module associated with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or File Transfer Protocol (FTP).
8. The method of claim 1 wherein a separate connection data structure is maintained for each connection of a plurality of connections maintained by the network device.
9. The method of claim 1 , further comprising: executing the checkpoint server on the network device along with the application, and wherein the memory space associated with the checkpoint server is memory space provided by the network device separate from the memory space associated with the application.
10. The method of claim 1 , further comprising: executing the checkpoint server on a device other than the network device executing the application.
11. An apparatus comprising: a microprocessor configured to execute an application and a checkpoint server, the application having a plurality of modules each associated with one or more layers of a hierarchy of communication protocols; a memory having a memory space associated with the application and having a separate memory space associated with the checkpoint server; and the microprocessor further configured to execute instructions to store a connection data structure that holds together data for the plurality of modules of the application related to a particular connection maintained by the apparatus, to form a unique connection identifier for the connection, to independently checkpoint portions of the connection data structure for different modules into the memory space associated with the checkpoint server where the portions are each embedded with the unique connection identifier yet stored separately, and to restore, in response to a restart or failure of the application, the connection data structure into the memory space associated with the application, by retrieval of the separately stored portions of the connection data structure for at least some of the different modules from the memory space associated with a checkpoint server and reassembly of the portions to reform the connection data structure in the memory space associated with the application.
12. The apparatus of claim 11 , wherein the instructions to independently checkpoint comprise instructions to determine for each module of the plurality of modules when the module requires a checkpoint of the module's portion of the connection data structure and to, in response to determination a particular module requires a checkpoint, checkpoint the particular module's portion of the connection data structure into the memory space associated with the checkpoint server.
13. The apparatus of claim 11 , wherein the instructions to independently checkpoint comprise instructions to determine there has been a state change of the connection, and to, in response to the state change, checkpoint at least one particular module's portion of the connection data structure into the memory space associated with a checkpoint server.
14. The apparatus of claim 11 , wherein the application is a firewall application and the plurality of modules are modules within the firewall application.
15. The apparatus of claim 11 wherein the instructions to form the unique connection identifier for the connection comprise instructions to combine a source address and a destination address of a packet associated with the connection.
16. The apparatus of claim 11 wherein the plurality of modules include at least a module associated with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or File Transfer Protocol (FTP).
17. The apparatus of claim 11 wherein a separate connection data structure is maintained for each connection of a plurality of connections maintained by the apparatus.
18. A system comprising; a network device with a microprocessor configured to execute an application, the application having a plurality of modules each associated with one or more layers of a hierarchy of communication protocols, the network device further configured to store in a memory space associated with the application a connection data structure, the connection data structure maintaining together data for the plurality of modules of the application for a connection maintained by the network device, the network device further configured to independently checkpoint portions of the connection data structure for different modules; and a checkpoint server configured to store in an associated memory space the independently checkpointed portions of the connection data structure, the portions of the connection data structure each being embedded with a unique connection identifier associated with the connection and stored separately in the memory space associated with the checkpoint server, the checkpoint server configured to, in response to a restart or failure of the application executing on the network device, restore at least a part of the connection data structure to the memory space associated with the application, by retrieval of the separately-stored portions of the connection data structure for at least some of the different modules from the memory space associated with a checkpoint server and reassembly of the portions to reform the at least a part of the connection data structure in the memory space associated with the application.
19. The system of claim 18 , wherein the checkpoint server is further configured to determine for each module of the plurality of modules when the module requires a checkpoint of the module's portion of the connection data structure, and to, in response to determination that a particular module requires a checkpoint, checkpoint the particular module's portion of the connection data structure into the memory space associated with the checkpoint server.
20. The system of claim 18 , wherein the checkpoint server is further configured to determine there has been a state change of the connection, and in response to the state change, checkpoint at least one particular module's portion of the connection data structure into the memory space associated with the checkpoint server.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
February 29, 2000
October 12, 2010
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.